How to connect RHEL 6.7 to 2012 AD and login with AD Accounts?


I need to be able to login to RHEL 6.7 servers using Active Directory accounts from a Windows 2012 Domain.
I've seen some information on the web, but nothing has worked for me so far.
Has anyone accomplished this?
Would appreciate it if someone could share what worked for them or point me to some info that they used.
Thanks!

Responses

Hello, the Red Hat Satellite User Guide has a section on using AD to authenticate users within the Configuring External Authentication chapter.

Stephen, the link you provided is for setting up a Red Hat Satellite server. It seems Mark Smith has Red Hat Enterprise Linux systems (he didn't mention a Satellite server) to log into a Windows 2012 Domain, authenticating to AD.

Mark, a link to a paper on joining RHEL 6.7 servers to a Windows domain is here https://access.redhat.com/articles/216933 (which leads to this pdf file at access.redhat.com).

This link is the RHEL 7.x Windows Integration guide (6.7 is in the preceding paragraph).

Hi Mark,

This works for me.

Create custom profile for AD users

vi /etc/profile.d/custom.sh

# Default prompt for AD users
if [ "$PS1" ]; then PS1="[\u@\h \W]\$ "; fi

Edit the Pluggable Authentication Module for winbind to only allow access to the authorised groups, otherwise anyone with an AD account will be able to SSH onto this server.

Find the SID of the groups that only have access to this server

wbinfo -n grp-cc-redhat-superusers-global

SID_DOM_GROUP (2)

vi /etc/security/pam_winbind.conf

require_membership_of = SID, SID, SID

system-config-authentication

Select Winbind, enter your domain, select the security model "domain", specify an AD controller, and under advanced options select "create home dir on 1st login".

Now Join your domain using your AD admin creds.

service winbind restart

Now users in the correct group should be able to SSH onto this server using their AD credentials:

ssh -l 'CC\userid' servername
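The SID lookup and require_membership_of step above, as an added example that is not from Jonathan's post or from Red Hat's documentation. The wbinfo output is a constructed sample, and every SID and group name in it is a placeholder; the point is that only SID_DOM_GROUP results belong in the list, and that membership is matched on the whole SID, not a prefix.

```shell
#!/bin/sh
# Added example, not code from the original thread. Builds the
# require_membership_of line for /etc/security/pam_winbind.conf from
# `wbinfo -n` output and checks a SID against the resulting allow-list.
# All SIDs and group names are placeholders (assumed values).

# Constructed stand-in for the output of `wbinfo -n <name>` run for three
# names: two domain groups and one that resolved to a user account. The
# user line must not end up in require_membership_of.
SAMPLE_WBINFO='S-1-5-21-1111111111-2222222222-3333333333-1105 SID_DOM_GROUP (2)
S-1-5-21-1111111111-2222222222-3333333333-1109 SID_DOM_GROUP (2)
S-1-5-21-1111111111-2222222222-3333333333-1200 SID_USER (1)'

# sids_from_wbinfo: read wbinfo -n lines on stdin, keep the SID column of
# lines whose type is SID_DOM_GROUP, and print them comma-separated
# (the form pam_winbind expects, without spaces).
sids_from_wbinfo() {
    awk '$2 == "SID_DOM_GROUP" { out = out (out ? "," : "") $1 }
         END { printf "%s", out }'
}

# require_line: the complete line to place under [global] in
# /etc/security/pam_winbind.conf.
require_line() {
    printf 'require_membership_of = %s\n' \
        "$(printf '%s\n' "$SAMPLE_WBINFO" | sids_from_wbinfo)"
}

# sid_allowed SID LIST: succeed only if SID is an exact element of the
# comma-separated LIST (a prefix such as ...-110 does not match ...-1105).
sid_allowed() {
    case ",$2," in
        *",$1,"*) return 0 ;;
        *)        return 1 ;;
    esac
}

# Demo: print the config line, then test one group SID and the user SID.
require_line
ALLOWED=$(printf '%s\n' "$SAMPLE_WBINFO" | sids_from_wbinfo)
sid_allowed S-1-5-21-1111111111-2222222222-3333333333-1109 "$ALLOWED" && echo "1109: allowed"
sid_allowed S-1-5-21-1111111111-2222222222-3333333333-1200 "$ALLOWED" || echo "1200: denied"
```

On a real host, replace SAMPLE_WBINFO with the actual `wbinfo -n` output for each group, put the printed line in the [global] section of pam_winbind.conf, and restart winbind before testing a login from a second session so you are not locked out if the SID list is wrong.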

Thanks for those bits Jonathan

I had to use wbinfo --group-info=authorised_group because for some reason wbinfo -g authorised_group would never work.

Yeah... Mucking about with PAM to prevent SSH logins is a bit sub-optimal (heavy-handed). Use the configuration capabilities of the SSH service, itself (e.g., the AllowGroups functionality). Doing so tends to be a lot easier for other admins to follow.
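The sshd-side alternative Tom describes, as an added example that is not from Tom's post or from OpenSSH's own documentation. It shows the AllowGroups line and a small evaluator that mirrors how sshd applies it (a user is allowed if any of their groups matches any listed pattern, with `*` and `?` wildcards). The group names are placeholders, the group lists are constructed, and the example assumes smb.conf sets "winbind use default domain = yes" so AD groups appear without a DOMAIN\ prefix.

```shell
#!/bin/sh
# Added example, not code from the original thread. Shows the sshd-side
# restriction (AllowGroups) and a small evaluator that mirrors how sshd
# applies it: a user is allowed if ANY of their groups matches ANY listed
# pattern, where patterns understand * and ?. Group names are placeholders;
# the example assumes smb.conf has "winbind use default domain = yes", so
# AD groups show up without a DOMAIN\ prefix.

# Line to add to /etc/ssh/sshd_config. Once AllowGroups is present, every
# user outside the listed groups is refused, root included, so keep a
# local admin group (wheel here) in the list to avoid locking yourself out.
SSHD_ALLOWGROUPS='AllowGroups wheel grp-cc-redhat-superusers-global grp-cc-*-admins'

# Constructed stand-ins for three users' group lists, one group per line
# (so names containing spaces, like "domain users", stay intact).
ALICE_GROUPS='domain users
grp-cc-redhat-superusers-global'
BOB_GROUPS='domain users
grp-cc-helpdesk-users'
CAROL_GROUPS='domain users
grp-cc-storage-admins'

# allow_patterns: the pattern list, i.e. everything after the keyword.
allow_patterns() {
    printf '%s\n' "${SSHD_ALLOWGROUPS#AllowGroups }"
}

# group_allowed PATTERNS GROUPS: succeed if any line of GROUPS matches any
# space-separated pattern in PATTERNS. Runs in a subshell with pathname
# expansion off so a "*" in a pattern is never expanded against filenames;
# case pattern matching itself is unaffected by set -f.
group_allowed() {
    printf '%s\n' "$2" | (
        set -f
        while IFS= read -r g; do
            for p in $1; do
                case "$g" in
                    $p) exit 0 ;;
                esac
            done
        done
        exit 1
    )
}

# Demo: alice matches an exact name, carol matches the wildcard, bob neither.
PATS=$(allow_patterns)
if group_allowed "$PATS" "$ALICE_GROUPS"; then echo "alice: allowed"; fi
if group_allowed "$PATS" "$CAROL_GROUPS"; then echo "carol: allowed"; fi
if group_allowed "$PATS" "$BOB_GROUPS"; then :; else echo "bob: denied"; fi
```

Two things to check on the real host: sshd resolves group membership through NSS, so the group line in /etc/nsswitch.conf must include winbind, and the names you list must be exactly what `id -Gn` prints for an AD user (with the domain prefix and separator if "winbind use default domain" is not set). Run `sshd -t` after editing sshd_config and keep an existing session open until a fresh login from an allowed account succeeds. The shell `case` also honours `[...]` bracket patterns, which sshd's matcher does not; only `*` and `?` carry over.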

Yes, you're correct, that's tremendously cleaner Tom...

I then remembered I had used this previously a long while ago on some servers right after I read your post! (face palm)

I'd agree if SSH were the only way our users access the servers.

As 99.9% of our users are Windows users, they can't cope with a PuTTY session, so I allow RDP access using xrdp to give them a pretty desktop.

Which has its own group-based access limitation methods.

In general, we use per-application/service methods to allow/disallow groups. We've generally found that doing so is both more human-friendly and more easily accommodates delegating non-conflicting accesses (i.e., can lock people out of one service while easily allowing them access to others).

Obviously, "YMMV".
